Intel c2000 Cisco Clock Signal Replacement

So, you thought you’d buy into the next generation of firewall technology early? #FAIL

After ongoing reporting from The Register, Cisco have finally admitted that some of their products are affected by the Intel C2000 series chip problem. This affects most (all?) ASA 5506s, 5508s and 5516s, along with some other equipment; for a full list, look at Cisco's product notices here.

The solution: fill out their spreadsheet with your devices' details and send it over to Cisco; they promise to replace the equipment as soon as possible. I will keep this topic updated with my experience, but so far the only replies I've had to my email with the sheet were a mailbox-full message (!) and a confirmation saying that I should get a response within the next two to three weeks, so don't wait to get your request in.

This problem is not isolated to Cisco equipment, with Synology, Netgear, HP, Dell and Supermicro also having products affected by the faulty chip. For more information head over to The Register for the latest.

So far the list of chips suspected of being vulnerable to sudden death is: C2308, C2338, C2350, C2358, C2508, C2518, C2530, C2538, C2550, C2558, C2718, C2730, C2738, C2750 and C2758. Although vendors seem reluctant to admit that the processors are causing the problems, the writing is on the wall: go and check what your new network device is actually running, and contact your vendor to make sure they have a plan to get you back up and running when it fails!


Site to site VPN between Azure and Cisco ASA

Azure, wow, isn't it amazing? IaaS has arrived, and you can do some pretty cool stuff with Azure without worrying about licensing or hardware beyond the size and spec of your virtual machines in their data centres. But that's just the bloody problem, isn't it? It's in their network, not yours! So you need to set up a site-to-site link between Azure and your local supported device.

Click here to view a list of supported devices and their configuration instructions. This will tell you what type of VPN your equipment will support, and what you should deploy in Azure portal.

My local supported device is a Cisco ASA, which you will notice is only supported for policy-based, not route-based, VPN, so you need to start out right or you're going to waste a lot of time deploying VPN gateways in Azure, which takes about 45 minutes each time. The instructions on GitHub are easy to follow and available here [.docx].

If you follow these instructions you will get going fairly quickly, but if you have multiple subnets that you want to allow to communicate with Azure you will have to make some modifications. For example, my protected wireless network should have access to Azure, because I'm going to put a domain controller on a virtual machine there to handle DHCP (not supported!), DNS and 802.1X authentication in a disaster recovery scenario.

You will need to modify your NAT like this:

First, create network objects for the local networks you want to reach your Azure networks:

config t
object network mgmtnet
 subnet 10.87.0.0 255.255.255.0
object network wirelessnet
 subnet 10.87.20.0 255.255.255.0

Then create the corresponding NAT rules, one per source interface:

nat (inside,outside) source static mgmtnet mgmtnet destination static AzureNetworks AzureNetworks
nat (Wireless,outside) source static wirelessnet wirelessnet destination static AzureNetworks AzureNetworks

Hope this saves you a little time getting multiple subnets to work on your ASA to Azure VPN if you're in a rush and follow the instructions a little blindly. But who does that? Not you!

Add Azure Server 2016 Nano to your Active Directory

OK, so adding a Nano Server to your on-premises Active Directory is not as straightforward as you might like, but of course there's no GUI, so what did you expect? The process is not the same as adding Server Core to your domain: as Nano can only be managed remotely, you must first connect to the machine using WinRM / PowerShell and perform a three-stage operation to join the Azure Nano machine to your domain.

Of course, you've already set up your site-to-site VPN with Azure? No? I haven't blogged about it yet! Of course you have, because you've read my blog post about that too! It is straightforward enough though: follow the instructions provided and check your NAT, and other than that it's a breeze.

First you must deploy your Nano from the Azure portal. I'm not going to go through this part here: most of the blogs I've seen on the Azure portal are out of date or relate to the classic portal, and with a major server OS release having just happened I expect there will probably be more changes to the Azure portal, so I'm going to leave that bit for now.

Stage one: Connect to the Azure Nano Server using PowerShell

Open PowerShell locally and start WinRM:

PS C:\WINDOWS\system32> net start winrm

The Windows Remote Management (WS-Management) service is starting.

The Windows Remote Management (WS-Management) service was started successfully.

You then need to add the Nano's address to your WinRM client's TrustedHosts list (more info on this here):

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "10.90.10.6"

You'll then get a warning telling you that you are modifying the TrustedHosts list; you want to click Yes.

(Yes, I'm using ISE.)

You can then actually connect to your Nano with Enter-PSSession, using the credentials you used to create the machine in Azure:

Enter-PSSession -ComputerName "10.90.10.6" -Credential WAN02ADC01PV\svradmin

And you're in!

Stage two: Setting things up

You now need to change the DNS server to one of your own domain's DNS servers:

netsh interface ip set dnsservers name="Ethernet" static 10.87.0.10 primary

Microsoft have turned the firewall on the Nano on by default, and you will need to enable the firewall rules for File and Printer Sharing to be able to transfer the file you will create in the next stage, joining it to your domain:

netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes

Stage three: Joining to the domain

OK, we're done here for now. Over on your domain-joined server, you need to use djoin, which will create the computer account in AD and spit out a file for you to import into the Nano. Run this command from your desktop to make your life easy, as the file is generated in the directory it is run from! It looks a little something like this:

C:\Users\madmin\Desktop>djoin.exe /provision /domain WEARENOTHING.COM /machine WAN02ADC01PV /savefile .\WAN02ADC01PV-DOMAIN

Of course, you've figured out by now that you're supposed to change the red values to your own, and that 10.90.10.6 is the Nano's IP, you

OK, now map a drive to the c$ share on the Nano:

NET USE x: "\\10.90.10.6\c$"

Create a folder on the Nano called temp and copy the file you generated into it, then, in the remote PS session, finish it off:

djoin /requestodj /loadfile c:\temp\WAN02ADC01PV-DOMAIN /windowspath c:\windows /localos

You will then see:

Loading provisioning data from the following file: [c:\temp\WAN02ADC01PV-DOMAIN].
The provisioning request completed successfully.
A reboot is required for changes to be applied.

The operation completed successfully.

You will then need to seal the deal with a remote reboot:

shutdown /r

You're done; it is added. You can now manage it using your domain credentials, and it can be added to Server Manager, although I don't believe you will be able to add roles and features to it this way, but this may change, who knows.
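The three stages above as a single PowerShell script, run from a domain-joined admin workstation. This is an added example, not code from the original post: it keeps the post's own values (the Nano's IP, domain, machine name, DNS server) but the local admin account name, the use of Copy-Item -ToSession instead of a mapped c$ drive, and the clean-up of the djoin blob are my assumptions and additions.

```powershell
# Added example (not from the original post). Values below are taken from the
# post where it gives them; $localUser is an assumed placeholder.
$nanoIp      = '10.90.10.6'            # Nano server IP (from the post)
$domain      = 'WEARENOTHING.COM'      # AD domain (from the post)
$machineName = 'WAN02ADC01PV'          # computer account name (from the post)
$dnsServer   = '10.87.0.10'            # on-premises DNS server (from the post)
$localUser   = "$machineName\svradmin" # local admin chosen at Azure deploy time (assumed)

# Stage one: make sure WinRM is running and trust the Nano's address.
# -Concatenate appends rather than replacing hosts you already trust.
Start-Service -Name WinRM
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $nanoIp -Concatenate -Force

$cred    = Get-Credential -UserName $localUser -Message 'Nano local admin password'
$session = New-PSSession -ComputerName $nanoIp -Credential $cred

# Stage two: point the Nano at the domain's DNS, open File and Printer Sharing
# and create the folder the join blob will be copied into.
Invoke-Command -Session $session -ScriptBlock {
    param($dns)
    netsh interface ip set dnsservers name="Ethernet" static $dns primary
    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
    New-Item -Path 'C:\temp' -ItemType Directory -Force | Out-Null
} -ArgumentList $dnsServer

# Stage three: provision the computer account from this domain-joined machine,
# copy the blob over the existing session, then request the offline join.
$blob = Join-Path $env:TEMP "$machineName-DOMAIN"
djoin.exe /provision /domain $domain /machine $machineName /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

Copy-Item -Path $blob -Destination 'C:\temp\' -ToSession $session

Invoke-Command -Session $session -ScriptBlock {
    param($name)
    djoin.exe /requestodj /loadfile "C:\temp\$name-DOMAIN" /windowspath C:\Windows /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with exit code $LASTEXITCODE" }
} -ArgumentList $machineName

# The blob carries the machine account secret, so remove both copies once the
# join has been requested, then reboot the Nano to apply it.
Remove-Item -Path $blob -Force
Invoke-Command -Session $session -ScriptBlock {
    Remove-Item -Path 'C:\temp\*-DOMAIN' -Force
    shutdown.exe /r /t 0
}
Remove-PSSession -Session $session
```

Copying the blob through the PowerShell session avoids needing the File and Printer Sharing rule at all for the transfer; the script still enables it because the post relies on it for the c$ mapping and later management.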

Cisco VPN Client on Windows 10

OK, so I thought I was pretty lucky to install Windows 10 and have the only thing it broke be itself. It turns out I was not so lucky: it has broken my Cisco VPN Client as well, and I am now greeted with the pretty serious-looking message shown below, after what looks like the client trying to install itself again when I try to run it:


Error 27850. Unable to manage networking component. Operating system corruption may be preventing installation.

So, Windows 10 is a corrupted operating system? Nice one; I just installed it and now it's corrupt. Really?! No, but it was fun to procrastinate.

My first reaction was that something in the Windows 10 upgrade had changed the networking configuration, so we should allow the client to try to repair the install through the Programs and Features control panel. This (sort of expectedly) failed with the same error. But at least we tried it, right?

So let's properly remove the client and do a full reinstall. Uninstalling the client was unnerving, which is not something I have ever felt when uninstalling an application! The Windows Installer loading bar loaded and exited without any prompts, and the client was removed from the list of installed applications. You can see an example of the Windows Installer progress bar above.

The software then failed to install with the same error message we've seen twice now. Frustrating? Just a little.

Let's try DNE! OK, so some rebooting is involved here, unfortunately. It was also an enlightening experience thinking about my Windows 10 issues. When installing the client after performing the DNE update as per my earlier post, I got some installation problems relating to folder redirection, so I had to install the client using a local admin account. This sort of confirms my suspicion that folder redirection is causing issues with my machine; more investigation required on that one, I think. I'll let you know.

Now, rather alarmingly, it seems that the client is on an official Windows 10 unsupported list, in that if you try to run the .exe to install the VPN client you get directed to a Windows 10 incompatible app page. Run the .msi instead and everything will be OK.

Back on track, and having now installed the software using the .msi and a local admin account (you will not need to do this if your machine is not domain joined), I have logged back on using my domain account and, hey presto, the client seems to be working. It loads without warning, anyway; it won't connect though. The log reads Failed to download keys. Error 433. Bitch.

So, apparently installing another VPN client first, the SonicWall 32-bit or 64-bit client, and then installing the Cisco client prevents the problem from occurring. So here we go... again... uninstall the Cisco VPN client... and reboot... then uninstall the DNE Update. Then reboot and run winfix again. Reboot, then install SonicWall, then the Cisco VPN client; make sure you apply the registry fix if you get the cannot enable virtual adapter error, and away you go. In business... 2 hours later...

So, in summary:

There you go, eight simple steps to get it working again. Simple when you know how.

And the cause? Well, Microsoft will update their operating systems from time to time, and Cisco want you to use AnyConnect now, so they haven't supported this client for some time. This will get you running for now, but maybe it's time to start thinking about a new platform?

The Cisco VPN Client used was vpnclient-winx64-msi-5.0.07.0440-k9

Let me know if this works for you, or if it doesn’t!

Cisco VPN won't connect: error 442

Welcome to August! Let's kick things off with a classic. This one's really common, and it's really super simple to fix. I've only seen it on 64-bit installations of the Cisco VPN client.

  • Open regedit
  • Find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA
  • There is a String Value called DisplayName; right-click it and choose Modify
  • Remove @oemX.inf,%CVirtA_Desc%; so that the Value data contains only Cisco Systems VPN Adapter for 64-bit Windows
  • Reopen the VPN Client

Boom!

Hope this helps


UPDATE 20/7/16:

Also seen on Windows 10 32-bit; there the string to remove is @oem25.inf,%CVirtA_Desc%;
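The same registry fix as a PowerShell function, covering both the 64-bit steps above and the 32-bit variant in the update. This is an added example, not code from the original post: the key path is the one the post names, and the regular expression matches any @oemNN.inf prefix, so it is not tied to a particular oem number. Run it from an elevated PowerShell; -WhatIf previews the change without writing it.

```powershell
# Added example (not from the original post): strip the "@oemNN.inf,%CVirtA_Desc%;"
# prefix from the CVirtA adapter's DisplayName, which is what the manual
# regedit steps above do.
function Repair-CVirtADisplayName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Default is the key named in the post.
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CVirtA'
    )

    if (-not (Test-Path -Path $KeyPath)) {
        throw "CVirtA service key not found at $KeyPath; is the Cisco VPN client installed?"
    }

    $current = (Get-ItemProperty -Path $KeyPath -Name DisplayName).DisplayName

    # Any oem number is matched, so this covers the 64-bit case in the post and
    # the 32-bit case (@oem25.inf) from the update.
    $pattern = '^@oem\d+\.inf,%CVirtA_Desc%;'

    if ($current -notmatch $pattern) {
        Write-Verbose "DisplayName already clean: '$current'"
        return $current
    }

    $fixed = $current -replace $pattern, ''
    if ($PSCmdlet.ShouldProcess($KeyPath, "Set DisplayName to '$fixed'")) {
        Set-ItemProperty -Path $KeyPath -Name DisplayName -Value $fixed
    }
    return $fixed
}

# Usage: show what would change, then apply it.
Repair-CVirtADisplayName -WhatIf
Repair-CVirtADisplayName -Verbose
```

The function returns the cleaned value either way, so you can check it before reopening the VPN client; if it already reads Cisco Systems VPN Adapter for 64-bit Windows (or the 32-bit equivalent), nothing is written.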

IP Office VM Pro Installation Error 1327

When installing Avaya IP Office Voicemail Pro 9.13.0, I came across this error, 1327 Invalid Drive: <drive letter of problem drive>, and was unable to install Voicemail Pro.

Searching Google suggested that a change be made to the registry to resolve this issue for Office installs, and some suggested disconnecting the drive and disabling automatic reconnect.

There is, however, an easier solution:

Step 1: Create the local voicemail user.

Step 2: Log in as that user.

Step 3: Run your installation application again. It should now complete without error. If you are asked to restart the machine, you must log in using the local account again to continue the installation.

Step 4: Once the install is completed, you can go back to using your domain credentials.

I hope this saves you some time.

This problem is not really Avaya related but an issue with Microsoft Windows, so this procedure may or may not work for you if you are trying to install some other application, but it's worth a shot. Let me know if it worked for you...

VPN connects but no traffic passes

OK, let's start this off with a fairly uncommon problem that allows a VPN to connect but does not pass any traffic. The VPN profile and account are tested on another machine and found to be working, so the problem is (gasp!)... the client machine!

You can verify this problem by noticing an 'error with call to iphlpapi.dll' in the Cisco client logs (you may need to enable them on the Log tab of the client).

The rather irritating resolution to this is:

1. Remove the Cisco VPN Client.
2. Reboot.
3. Download ftp://files.citrix.com/winfix.exe and run it.
4. Reboot again!
5. Download ftp://files.citrix.com/dneupdate.msi for 32-bit or ftp://files.citrix.com/dneupdate64.msi for 64-bit and run the relevant file.
6. Reboot.
7. Reinstall the VPN Client.
8. Reboot.
9. The Cisco VPN client should now connect and allow traffic to pass.

This seems to be a problem with DNE, which appears to do some pretty important things with VPN traffic; more information on it is available here: https://www.citrix.com/go/lp/dne.html

I hope this saves you time, and stress, in the future.


Update:

I have seen this resolve problems in similar circumstances with WatchGuard as well as Cisco ASA (5505 or 5510) VPNs, only there they actually don't seem to connect at all. I haven't seen the error message, but if I find it I'll put it here. Thanks to "The other Martin" for the tip.

Welcome to WeAreNothing

Welcome to WeAreNothing.com, the new home of this blog. I don't know why I just said new home, because it's not... it never existed before, so I can hardly call it the new home; so maybe, the first home of my WeAreNothing blog.

Firstly, thanks for visiting, I intend to update this blog regularly (how many times have you heard that before?) so that I can share my personal view on the convergence industry, and by that I mean pretty much anything IT related.

For those of you that have never met me, I am a voice and data engineer from Northern England. I install and maintain Mitel and Avaya phone systems and the systems required for their operation. This means I am frequently required to work with other tech, such as Cisco remote access and site-to-site VPNs, and VMware. Whilst not my primary focus, it does still interest me, so from time to time you may see me post about these things. I will probably also post about common problems I have seen; these may sometimes seem a little off topic, but this is the industry we are in: nobody will have the same problems all the time, and sometimes you will be asked to investigate problems slightly outside your comfort zone. I hope you may find the answer to some problem you have on this site at some point.

Please, please, please: ask questions, get involved. If you disagree with me, challenge me! I look forward to hearing from you.